Again — Re-enter the preshared key. Do not copy and paste from the previous field.

4. Click Save.

5. Go to Network > VPN > IPSec roadwarriors.

6. Configure the following:

• Name — Configure a meaningful name for this VPN.

• Enabled — New VPNs are enabled by default. Clear the check box to create a disabled VPN.

• Local IP — From the drop-down list, select the local IP address that the tunnel connects to. Typically, this is one of your external IP addresses, though it is possible to select a Basic interface to create an internal tunnel.

• Local network — Enter the local IP address and network mask, using the format <IP_address>/<network_mask>.

It is possible to restrict (or extend) the hosts that a roadwarrior can see on its assigned internal network by changing this setting.

For example, if you wish to restrict the connected roadwarrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/32.

Accordingly, enter the value 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the roadwarrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.

• Client IP — Enter a valid client IP address for this roadwarrior tunnel. The specified IP address must be available on the network specified for Local network.

• Local ID type — From the drop-down list, choose the identity type that is presented. Valid values are:

Local ID Type: Description

Default local Certificate Subject: Uses the subject field of the default local certificate as the local certificate ID. This is the recommended setting for roadwarrior connections.

Local IP: Uses the local IP address of the host as the local certificate ID.

User specified Host & Domain Name: Uses a user specified host and domain name as the local certificate ID.

User specified IP address: Uses a user specified IP address as the local certificate ID.

User specified Email address: Uses a user specified email address as the local certificate ID.

User specified Certificate Subject: Uses a user specified certificate subject as the local certificate ID.

Note: Typically, user specified ID types are used when connecting to non-Smoothwall VPN gateways. For more information regarding the required ID types, including the formatting required, refer to your vendor's documentation.

• Local ID value — If the Local ID type is user specified, enter the host and domain name, IP address, email address, or certificate subject as required.

Typically, you can leave this field blank because the value is retrieved automatically during the connection process, according to the chosen Local ID type.

• Remote ID type — From the drop-down list, select Remote IP (or ANY if Remote IP is blank). This is the recommended setting, as it allows the roadwarrior to present any form of valid identity credentials.

• Remote ID value — Enter the value of the remote ID used in the certificate that the roadwarrior is expected to use.

• Authenticate by — From the drop-down list, select the authentication method:

Authentication Method: Description

<Roadwarrior_certificate>: Use the roadwarrior's certificate created in step 1.

Certificate presented by peer: Use a certificate created by a different Certificate Authority. Authenticating by a named certificate is recommended for easier management.

Preshared key: Use the global preshared key defined in step 3.

• Use compression — Select to compress tunnel communication. This is useful for low-bandwidth connections, but it increases CPU utilization on both host systems.

The benefit of compression also varies with the type of traffic that flows through the tunnel. For example, compressing already-encrypted data such as HTTPS, or VPN tunnels carried within this tunnel, may decrease performance. The same applies to data that is already compressed, for example streaming video.

For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For unencrypted, uncompressed traffic, compression is recommended.

• Comment — Configure an optional comment for this VPN.
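The Local network and Client IP settings above accept two mask spellings and require the client address to fall inside the configured network. As an added example (not part of the Smoothwall documentation; function names are my own), this Python check parses both <IP_address>/<prefix> and <IP_address>/<dotted_mask>, reports the address range the roadwarrior will see, and validates a Client IP against it:

```python
import ipaddress
from typing import List, Tuple

def parse_local_network(value: str) -> ipaddress.IPv4Network:
    """Parse <IP_address>/<network_mask>, where the mask may be a prefix
    length (/24) or a dotted mask (/255.255.255.0), as on the page."""
    address, slash, mask = value.strip().partition("/")
    if not slash or not mask:
        raise ValueError("Local network must use the form <IP_address>/<network_mask>")
    # ipaddress accepts both mask spellings; strict=False tolerates host bits,
    # normalising an entry such as 192.168.2.10/24 to 192.168.2.0/24.
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)

def reachable_range(local_network: str) -> Tuple[str, str]:
    """First and last address the roadwarrior can reach for this setting."""
    net = parse_local_network(local_network)
    return str(net.network_address), str(net.broadcast_address)

def check_client_ip(local_network: str, client_ip: str) -> List[str]:
    """Problems with a Local network / Client IP pair; empty means usable."""
    try:
        net = parse_local_network(local_network)
        ip = ipaddress.IPv4Address(client_ip.strip())
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if ip not in net:
        problems.append(f"Client IP {ip} is not inside Local network {net}")
    elif net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
        # A /32 (single host) or /31 has no separate network/broadcast address.
        problems.append(f"Client IP {ip} is the network or broadcast address of {net}")
    return problems

if __name__ == "__main__":
    # Constructed examples mirroring the page's 192.168.2.0/24 network.
    for local, client in (("192.168.2.0/255.255.255.0", "192.168.2.10"),
                          ("192.168.2.10/32", "192.168.2.10"),
                          ("192.168.2.0/24", "192.168.3.10")):
        print(local, client, check_client_ip(local, client) or "ok")
```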

7. If additional settings are required, click Advanced.

8. Configure the following:

• Local certificate — If non-standard X509 authentication is used for this VPN, choose the local certificate from the drop-down list. For more information, see Using Multiple Local Certificates.

• Perfect forward secrecy — Select to enable the perfect forward secrecy (PFS) key establishment protocol, which ensures that previous VPN communications cannot be decoded should a key currently in use be compromised.

PFS is recommended for maximum security. Both VPN gateways must agree on the use of PFS.

• Authentication type — From the drop-down list, choose the authentication method. This setting must be the same on both tunnel specifications of the two connecting gateways. Valid values are:

IP Authentication Header (AH) uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, it is not recommended.

• Phase 1 cryptographic algo — From the drop-down list, select the encryption algorithm to use in the first phase when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. Valid values are:

Encryption Algorithm: Description

3DES: A triple-strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been surpassed in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.

AES: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.

• Phase 1 hash algo — From the drop-down list, select the hashing algorithm to use in the first phase when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. Valid values are:

Hashing Algorithm: Description

MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.

SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.

• Phase 2 cryptographic algo — From the drop-down list, select the encryption algorithm to use in the second phase when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. Valid values are:

Encryption Algorithm: Description

3DES: A triple-strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been surpassed in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.

AES: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.

• Phase 2 hash algo — From the drop-down list, select the hashing algorithm to use in the second phase when establishing the VPN connection. This setting must be the same on both tunnel specifications of the two connecting gateways. Valid values are:

Hashing Algorithm: Description

MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.

SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.

• Key life — Configure the length of time, in minutes, that a set of keys can be used for. After the Key life value has expired, new encryption keys are generated, reducing the threat of snooping attacks.

The default, and maximum, value of 60 minutes is recommended.

• Key tries — Configure the number of connection attempts before failing.

The default value of 0 allows the host to re-key the connection continuously. However, a non-initiating VPN gateway should not use the default value, because it cannot initiate the connection.

• IKE lifetime — Configure the length of time, in minutes, after which the Internet Key Exchange (IKE) keys are re-exchanged.

• Do not rekey — Select this option to disable re-keying. This can be useful when working with NAT-ed endpoints.
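Several of the Advanced settings above must be identical on both tunnel specifications, and the page attaches a recommendation to each (AES over 3DES, SHA over MD5, PFS on, AH not recommended, the 60-minute Key life maximum, Key tries 0 unsuitable for a non-initiating gateway). As an added example that is not Smoothwall's own code, this Python audit compares two specifications keyed by the page's field names and reports mismatches and deviations from those recommendations; the sample specifications and the "ESP" label for the non-AH authentication type are constructed assumptions:

```python
from typing import Dict, List

# Settings the page says must be the same on both tunnel specifications.
MUST_MATCH = ("Authentication type", "Perfect forward secrecy",
              "Phase 1 cryptographic algo", "Phase 1 hash algo",
              "Phase 2 cryptographic algo", "Phase 2 hash algo")
MAX_KEY_LIFE_MINUTES = 60  # the page's default and maximum Key life

def audit_tunnel_pair(local: Dict[str, object], peer: Dict[str, object],
                      local_initiates: bool) -> List[str]:
    """Findings for the local specification; empty means nothing to fix."""
    findings = []
    for key in MUST_MATCH:
        if local.get(key) != peer.get(key):
            findings.append(f"mismatch on '{key}': {local.get(key)!r} locally, "
                            f"{peer.get(key)!r} on the peer")
    if local.get("Authentication type") == "AH":
        findings.append("AH gives authentication and integrity only, no encryption")
    for phase in ("Phase 1", "Phase 2"):
        if local.get(f"{phase} cryptographic algo") == "3DES":
            findings.append(f"{phase}: 3DES is a compatibility choice; AES is "
                            "recommended for security and performance")
        if local.get(f"{phase} hash algo") == "MD5":
            findings.append(f"{phase}: MD5 is a compatibility choice; SHA is "
                            "recommended for maximum security")
    if not local.get("Perfect forward secrecy"):
        findings.append("PFS disabled: a compromised current key would expose "
                        "earlier sessions")
    key_life = int(local.get("Key life", MAX_KEY_LIFE_MINUTES))
    if key_life > MAX_KEY_LIFE_MINUTES:
        findings.append(f"Key life {key_life} min exceeds the maximum of "
                        f"{MAX_KEY_LIFE_MINUTES} min")
    if int(local.get("Key tries", 0)) == 0 and not local_initiates:
        findings.append("Key tries 0 on a non-initiating gateway: the "
                        "connection cannot be initiated")
    return findings

# Constructed sample specifications (not from a real deployment); keys mirror
# this page's field names, and "ESP" is an assumed label for the non-AH type.
RECOMMENDED = {
    "Authentication type": "ESP", "Perfect forward secrecy": True,
    "Phase 1 cryptographic algo": "AES", "Phase 1 hash algo": "SHA",
    "Phase 2 cryptographic algo": "AES", "Phase 2 hash algo": "SHA",
    "Key life": 60, "Key tries": 3,
}
LEGACY_PEER = {**RECOMMENDED, "Phase 1 cryptographic algo": "3DES",
               "Phase 1 hash algo": "MD5", "Perfect forward secrecy": False}
```

Running `audit_tunnel_pair(LEGACY_PEER, RECOMMENDED, True)` lists the three mismatched settings plus the 3DES, MD5 and PFS findings for the legacy side.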